windows-logon-process-on-a-domain
WinLogon's first phase is [Ctrl][Alt][Delete], Windows' default Security Attention Sequence (SAS). This sequence signals to the operating system that someone is trying to log on.
When SAS is initiated, all user mode applications pause until the security operation is completed or cancelled. This suspension of user mode applications is a significant security feature. Keystroke loggers or Trojan viruses are disabled and prevented from recording keystrokes as users input their passwords.
(unless they're hooked into the OS dll's)
The WinLogon process is a part of the Local Security Authority (LSA) for the Windows operating system logon procedure. To complete this procedure, the OS authenticates the user's credentials with a logon server and, depending on the type of authentication, the logon could fail if the proper ports and protocols between the client and the server aren't open.
NT LAN Manager (NTLM) is the default authentication scheme used by the WinLogon process; NTLMv2 is the current standard (winxp+)
Three ports between the client and domain controller (DC):
UDP 137 - UDP 137 (NetBIOS Name)
UDP 138 - UDP 138 (NetBIOS Netlogon and Browsing)
1024-65535/TCP - TCP 139 (NetBIOS Session)